On Sun, 2001-12-02 at 09:43, Volker Kuhlmann wrote:

> About the danger-levels of wu-ftpd: there are people who say that it
> isn't worse than the alternatives since SuSE did a security audit on
> it 2 or 3 years ago. Of course an audit is no guarantee, but this is the
> first major problem in wu-ftpd since then. The others (proftp, bsd-ftp)
Sorry, but the last major bug was only last year (June 2000 according to the SecurityFocus advisory). When I was working at the Uni you may remember I gave a talk about hacking. In it I used this vulnerability to demonstrate how easy it is to get root access on a vulnerable Linux box. A search of the keyword 'wu-ftpd' on the SecurityFocus vulnerability list will return a number of vulnerabilities. Proftpd also has vulnerabilities, but I don't think they've been as widely exploited as Wu-ftpd.

The moral of course is to avoid running any service unless you really need it and to have a properly configured firewall. Unfortunately most systems in the real world are not secure. This is bad for the businesses with these systems, but good for me as a security consultant since I'm kept more than busy fixing them :)

Kerry
